Slashdot Mirror


Top E-commerce Sites Fail To Protect Users From Stupid Passwords

Martin S. writes "The Register reports that 'Top UK e-commerce sites including Amazon, Tesco and Virgin Atlantic are not doing enough to safeguard users from their own password-related foibles, according to a new study by Dashlane ... 66% accept notoriously weak passwords such as '123456' or 'password,' putting users in danger as these are often the first passwords hackers use when trying to breach accounts. ... 66% make no attempt to block entry after 10 incorrect password entries (including Amazon UK, Next, Tesco and New Look). This simple policy prevents hackers from using malicious software that can run thousands of passwords during log-ins to breach accounts.'" xkcd has some insight about why this is bad for users generally, not just on any sites that happen to get compromised. Rules that require ever more complexity in passwords, though, probably backfire quite a bit, too.
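As an added illustration of the two checks the study scored sites on (refusing notoriously weak passwords, and locking an account after 10 consecutive failures), here is a small Python module. It is not code from the article, from Dashlane or from any of the sites named; the deny-list, the two demo accounts and the in-memory failure counter are constructed for the example.

```python
import hmac
from collections import defaultdict

# Constructed deny-list for the demo: the two examples the study names plus a
# few more of the same kind. A real deployment would load a much larger list.
COMMON_PASSWORDS = frozenset({"123456", "password", "12345678", "qwerty", "abc123"})

# Lockout threshold matching the "10 incorrect password entries" the study checks.
MAX_FAILED_ATTEMPTS = 10


def password_is_acceptable(candidate: str) -> bool:
    """Signup-time check: refuse the notoriously weak passwords outright."""
    return candidate.lower() not in COMMON_PASSWORDS


class LoginGate:
    """Counts consecutive failed logins per account and locks the account
    once the count reaches the limit; a successful login resets the count."""

    def __init__(self, verify, max_failed: int = MAX_FAILED_ATTEMPTS):
        self._verify = verify            # callable(username, password) -> bool
        self._max_failed = max_failed
        self._failed = defaultdict(int)  # username -> consecutive failures

    def is_locked(self, username: str) -> bool:
        return self._failed[username] >= self._max_failed

    def attempt(self, username: str, password: str) -> str:
        """Returns "ok", "denied" or "locked". A locked account rejects even
        the correct password until the lock is cleared out of band."""
        if self.is_locked(username):
            return "locked"
        if self._verify(username, password):
            self._failed[username] = 0
            return "ok"
        self._failed[username] += 1
        return "locked" if self.is_locked(username) else "denied"


def make_demo_gate() -> LoginGate:
    """Builds a gate over a constructed two-user store (demo data, not real)."""
    store = {"alice": "correct horse battery staple", "bob": "Tr0ub4dor&3"}

    def verify(username: str, password: str) -> bool:
        expected = store.get(username, "")
        # Constant-time comparison; a real store would hold salted hashes instead.
        matches = hmac.compare_digest(expected.encode(), password.encode())
        return matches and username in store

    return LoginGate(verify)


if __name__ == "__main__":
    gate = make_demo_gate()
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(gate.attempt("alice", "123456"))
    print(gate.attempt("alice", "correct horse battery staple"))  # locked
```

The lock is per account rather than per source address, which is what the study measured; a practitioner would also want the counter to expire after a cooling-off period, because a permanent lock lets anyone who knows a username deny that user access by guessing wrong ten times.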

20 of 162 comments

  1. Ticketmaster by suso · · Score: 2

    Yesterday I was on a Ticketmaster signup form and they listed the following "requirements" for a password:

    "(Must be between 1 to 250 characters. Alpha numeric only, case sensitive.)"

    1. Re:Ticketmaster by Number42 · · Score: 2

      A 250-character password isn't nearly strong enough. The company's limiting my safety by not allowing the extremely secure 10×10^10 character password I thought of!

  2. Re:Top gun manufacturers fail to protect users by causality · · Score: 4, Insightful

    From pointing the gun at their face.

    Indeed. And "rules that require even more complexity in passwords" backfire because the notion of protecting people from themselves is fundamentally flawed. Note the way you practically never see this notion questioned in any headline or summary.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  3. not really a huge deal... by Connie_Lingus · · Score: 4, Informative

    --
    never bring a twinkie to a food fight.

    1. Re:not really a huge deal... by Anubis+IV · · Score: 4, Interesting

      From what it sounds like, stealing money is harder than people think (myself included until I just read through that rather great link), but it's far from impossible. Moreover, a large part of the paper makes the point that it's not the customer who had their password stolen that will suffer the financial damage, but rather the person who owns the account that's used as a mule to move the funds, meaning that there's still a victim, just not who we thought.

    For instance, if they get your password, they can't just cash your account out, since they don't have your ATM card, your PIN, or your government-issued ID. They first need to transfer the money to an account they control. But they don't want that account linking back to them either, which is where those spam e-mails about someone having $10,000 for you come into play. They'll send a person your $10,000 in exchange for that person sending them a $1000 "commission", and that person will then be scammed out of the $1000 they paid as a commission when you repudiate the $10,000 transfer and it's removed from their account. They're partially to blame too, of course, since they've allowed themselves to be taken in by an obvious scam, but it's the people engaging in bad password practices (both users and developers) that are enabling the scammers to scam in the first place.

  4. ...and this won't change because by mnt · · Score: 3, Insightful

    users don't like registration dialogs. Enforcing good passwords will make users stop the registration process and go away. And a compromised user account is the user's problem, not the company's. That is current management thinking.

    1. Re:...and this won't change because by tlhIngan · · Score: 2

      users don't like registration dialogs. Enforcing good passwords will make users stop the registration process and go away. And a compromised user account is the user's problem, not the company's. That is current management thinking.

      Well, the first question I have is... why?

      I mean, I run into websites that declared themselves so important that the password HAD to be complex. Which is great, except I only accessed it once every few months, and ended up clicking "Forgot Password" anyways because they wouldn't accept a simple one.

      No, all the site had were software downloads.

      So really - it's another case of "web site is SOOOOOOOOOOO IMPORTANT!" syndrome where the website believes it's the be-all-end-all of websites and wants everyone to use a strong password. User sees it as just a web site that they don't care much about and wants to use a simple crappy one, because well, who really cares?

      This is especially true if it's a one-off purchase. I mean, I run into many places that require you to register so you can buy from them. Except that the product I bought was all I needed and all I was going to need. So now I have to create an account and come up with a strong password that I'll never bother using again?

  5. Slashvertisement. by khasim · · Score: 5, Informative

    Vendor of X does a study showing that people would be safer using X.

    The easiest way to create and remember strong passwords is with a password manager, like Dashlane, which generates unique passwords for you, saves them to your account, and autofills them online.

  6. My bank enforces stupid passwords by allsorts46 · · Score: 3, Interesting

    I tried recently to change my banking password to something much longer, only to find there's a limit of just 14 characters. None of the several bank staff I asked about it could tell me why that is.

    1. Re:My bank enforces stupid passwords by mmell · · Score: 2

      So you're actively trying to get yourself arrested?

    2. Re:My bank enforces stupid passwords by allsorts46 · · Score: 2

      Password reset process doesn't necessarily need it either. You can just tell the user '*if* you entered a valid username, we're sending you reset instructions', without revealing whether there was a match or not.
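The reply above describes a reset flow that answers every request the same way so the form cannot be used to check which usernames exist. The Python below is an added example of that pattern and is not code from the thread or from the commenter's bank; the user table, the in-memory token store and the "outbox" are constructed for the demo.

```python
import secrets

# Same wording whether or not the username exists, as the comment suggests.
RESET_RESPONSE = "If you entered a valid username, we're sending you reset instructions."


class PasswordResetService:
    """Demo reset flow over a constructed user table; tokens and the 'outbox'
    live in memory here, which is an assumption made for the example."""

    def __init__(self, users_by_name):
        self._users = dict(users_by_name)    # username -> e-mail address
        self._tokens = {}                    # username -> pending reset token
        self.outbox = []                     # (e-mail, token) pairs "sent"

    def request_reset(self, username: str) -> str:
        """Queues a token e-mail only for real accounts, but always returns
        the same message, so the response does not reveal whether one exists."""
        email = self._users.get(username)
        if email is not None:
            token = secrets.token_urlsafe(32)
            self._tokens[username] = token
            self.outbox.append((email, token))
        return RESET_RESPONSE

    def redeem(self, username: str, token: str) -> bool:
        """Completes the reset only with the exact token that was e-mailed,
        and only once."""
        pending = self._tokens.get(username)
        if pending is None or not secrets.compare_digest(pending, token):
            return False
        del self._tokens[username]
        return True


def make_demo_service() -> PasswordResetService:
    """Constructed single-user table for the demo (not real data)."""
    return PasswordResetService({"alice": "alice@example.test"})


if __name__ == "__main__":
    svc = make_demo_service()
    print(svc.request_reset("alice"))    # account exists: token is queued
    print(svc.request_reset("mallory"))  # no account: identical message
    print(len(svc.outbox), "message(s) queued")
```

The message body is only one signal; for the check to hold in practice the HTTP status and the response time should also match on both branches, and the token must expire and be single-use, which `redeem` handles by deleting it on first success.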

  7. Tobuscus Got It Right by TheSwift · · Score: 2

    This is getting effing ridiculous.

    https://www.youtube.com/watch?v=jQ7DBG3ISRY

    --
    "With patience a ruler may be persuaded, and a soft tongue will break a bone."
  8. 1, 2, 3, 4, 5 by SGDarkKnight · · Score: 2

    1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage! [Sandurz and Darth Helmet look at each other in horror]

    --
    ...A no smoking section in a restaurant is like having a no peeing section in a swimming pool...
  9. Re:correct horse battery staple by Holladon · · Score: 3, Interesting

    Eh. It kinda works. If your goal is to invade Amazon accounts using the method laid out in the strip, it's that much easier to do because by allowing you to use anything for a password, they're more likely to have people using simple repeat passwords that, even if not common for everyone, are common for the user. If those sites had more stringent requirements, you couldn't use your childhood dog's name as a password like you've been doing for various account passwords since high school.

    But yeah -- this xkcd was probably the more applicable strip.

  10. They're probably not hashing them. by khasim · · Score: 3, Informative

    I tried recently to change my banking password to something much longer, only to find there's a limit of just 14 characters.

    That means that they're probably storing them in a database where the field is set to 14 characters. Possibly in plain text.

    If they were hashing them (with or without a salt) then they wouldn't care if your password was larger. As long as it still fit into the buffer they've assigned to it. Because the hash of a 1 character password should be the same length as the hash of a 256 character password.

    Be worried about that bank's security.
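The comment above argues that a site which hashes passwords has no reason to cap their length, because the stored value has a fixed size regardless of the input. As an added example (not code from the thread or from any bank), the Python below stores a salted PBKDF2-SHA256 record and shows that a 1-character and a 256-character password produce records of identical length; the record format, iteration count and salt size are choices made for the example.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000   # demo value; tune upward for production hardware
SALT_BYTES = 16
DIGEST_BYTES = 32      # SHA-256 output size, independent of the password


def hash_password(password: str) -> str:
    """Returns a record 'alg$iterations$salt_b64$digest_b64' with a fresh
    random salt. Its length depends only on the salt and digest sizes."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recomputes the digest from the record's own salt and iteration count
    and compares in constant time."""
    alg, iterations, salt_b64, digest_b64 = record.split("$")
    if alg != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)


def record_length(password: str) -> int:
    """Length of the stored record for this password; the same for any input,
    so the database column width is fixed by the hash format, not the user."""
    return len(hash_password(password))


if __name__ == "__main__":
    for pw in ["a", "x" * 256]:
        rec = hash_password(pw)
        print(len(pw), "chars ->", len(rec), "char record, verifies:", verify_password(pw, rec))
```

With these parameters every record is 90 characters (13 for the algorithm tag, 6 for the iteration count, 24 and 44 for the base64 salt and digest, plus three separators), so a column sized for the record never constrains the password. A hard 14-character cap on the password itself is the symptom the comment describes: it suggests the column was sized for the password, not for a hash of it.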

  11. Using a service on a user's behalf by tepples · · Score: 2

    A salted hash of the user's password is fine for authenticating the user to your own service. But it doesn't help when your service needs to authenticate to another service to perform actions on that user's behalf. Say a server running service A uses service B on behalf of users of service B. In order to do this, service A needs to store a credential for each user of service B. How should service A protect these credentials from an intruder?

  12. Re:Top gun manufacturers fail to protect users by ShanghaiBill · · Score: 2

    the notion of protecting people from themselves is fundamentally flawed.

    Yet traffic deaths are at a sixty year low despite a quadrupling of the number of cars and drivers. When common sense safeguards, such as seat belts, were first proposed, the auto industry made the same argument you are using here: "Our customers are stupid, and deserve what they get."

  13. Re:Top gun manufacturers fail to protect users by x0ra · · Score: 2

    How is more death on the road necessarily "bad"? If Joe the Plumber crashes and was not wearing a seat belt, well, too bad for him. Why should the government try to protect people from themselves?

  14. Password length is important by knarfling · · Score: 2

    Several years ago, I used to work for a now defunct online web site company that provided websites to customers. Customers were required to activate their site and sign in to a site management web page. Although the password policy was not as sophisticated as it should have been, we did require password to be between 6 and 16 characters.

    We received an email from one customer who was helping a new customer activate and sign up for the web management page. The new customer liked to pick passwords based on a mild shock value and wanted to use "Penis" as his password. The customer wanted us to know that they almost died laughing when the web page responded back with the message:
    "Password rejected. Not long enough. Please try another."

    Remember, password length is important. Choose your length wisely.

    --
    Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
  15. Re: I don't understand length limits by cbhacking · · Score: 2

    Yes, yes, one in every 10^85 random passphrases will have the same SHA256 hash. OH NOES! Meanwhile, unhashed (or weakly hashed) passwords are trivial to reverse (and then use to log in as those users, or to try logging in as them on other sites as well) as soon as the password database gets dumped. Such dumps happen all the time. I would be willing to wager that in the entire history of the Internet, nobody has blindly (i.e. without knowing the hash they were trying to generate) stumbled onto a password verifier hash collision (i.e. not simply guessing the user's actual password, but trying a different one and having it accepted anyhow) if a cryptographically secure hash was used (hell, I'll even allow the use of the broken and deprecated MD5).

    "strictly speaking storing hashes is less secure" my ASS. You are full of bullshit, oh random AC.

    --
    There's no place I could be, since I've found Serenity...